Re: [Lsf-pc] [LSF/MM TOPIC] fs-verity: file system-level integrity protection

On Fri, 2018-01-26 at 09:58 -0500, Theodore Ts'o wrote:
> Docker save was going to have to be altered to use IMA, anyway. 

Actually, no, that's not entirely true[1].  Docker save produces a tar
file.  Once the tar on your platform picks up xattrs, docker save just
works for container images with IMA hashes and signatures (and selinux
labels, which was actually the driver for the change).  The point at
which the ecosystem changed to "just work" was the point at which tar
understood xattrs.  That's why I was poking on how do we get tar to
understand this format, following on the way IMA and selinux did it.
There may be another way of getting this change into the ecosystem,
but ecosystem adoption has to be part of the considerations for this.

We both have our separate focusses: you for apk and me for containers.
The point is that there should be a way of getting it to work for both
of us.  There may be a simple way based on the work that's already
done:  xattrs are already a bit magic, so all you might need is an
xattr that simply points to the tree and header, then xattr
understanding tar would simply pick up your additional metadata.  Of
course you'd have to be able to set it by writing the xattr so untar
works, but that should be possible.  The file could be instantiated
either by writing the magic format or by writing contents and xattr.
That would seem to work both for the container and apk use case.

James

[1] For unsigned hashes.  For signatures we need lots of other stuff
like namespace aware keyrings and for the CT deployment system to load
your key onto your namespaced keyring, but in principle the *format*
problem is solved for IMA, the deployment problem of signed hashes
isn't.

>  So I don't see that as being any more difficult.  Whether you have
> to have root to set the magic IMA trusted xattr, or you call a
> userspace library, there isn't much difference between those two.
> 
> 							- Ted
> 
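
The mechanism discussed in the message above, as an added example that is not part of the original message or of any project named in it: an xattr-aware tar carries security.ima as a SCHILY.xattr.* pax record, so the hash travels inside the archive and can be checked when the archive is read. The file name and contents are constructed, and the two-byte prefix (digest-ng type 0x04, SHA-256 algorithm 0x04) is the layout assumed here for an unsigned IMA hash.

```python
import hashlib
import io
import tarfile

IMA_XATTR_DIGEST_NG = 0x04  # assumed: kernel enum evm_ima_xattr_type
HASH_ALGO_SHA256 = 0x04     # assumed: kernel enum hash_algo
PAX_KEY = "SCHILY.xattr.security.ima"  # pax record used by GNU tar --xattrs


def ima_hash_xattr(data: bytes) -> bytes:
    """Build the value of an unsigned security.ima xattr for `data`."""
    header = bytes([IMA_XATTR_DIGEST_NG, HASH_ALGO_SHA256])
    return header + hashlib.sha256(data).digest()


def pack(name: str, data: bytes, xattr: bytes) -> bytes:
    """Write one file plus its security.ima xattr into a pax-format tar."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.PAX_FORMAT,
                      encoding="utf-8") as tar:
        info = tarfile.TarInfo(name)
        info.size = len(data)
        # tarfile takes str values; surrogateescape keeps raw bytes lossless.
        info.pax_headers = {PAX_KEY: xattr.decode("utf-8", "surrogateescape")}
        tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def verify(archive: bytes) -> dict:
    """Compare each member's carried security.ima hash with its contents."""
    results = {}
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r",
                      encoding="utf-8") as tar:
        for member in tar:
            if not member.isfile():
                continue
            raw = member.pax_headers.get(PAX_KEY)
            if raw is None:
                results[member.name] = "no-ima-xattr"
                continue
            stored = raw.encode("utf-8", "surrogateescape")
            data = tar.extractfile(member).read()
            ok = stored == ima_hash_xattr(data)
            results[member.name] = "ok" if ok else "mismatch"
    return results


if __name__ == "__main__":
    sample = b"listen_port = 8080\n"  # constructed file contents
    print(verify(pack("etc/app.conf", sample, ima_hash_xattr(sample))))
```

This only checks the unsigned-hash case from footnote [1]; signatures would additionally need the key and keyring handling the footnote describes.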